Protection site

Personal Data Privacy Protection (PDPP) in the State of Qatar

The importance of data confidentiality:

Data confidentiality refers to the way in which information or data should be treated based on its relative value. It also refers to an individual’s ability to choose when, how and to what extent personal information about them is shared or transmitted to others. This personal information may include a person’s name, address, contact details and online or offline conduct. Privacy is considered a basic human right in many jurisdictions, and data protection legislation is in place to preserve this right. Additionally, data privacy is vital because in order for people to be willing to interact online, they must be confident that their personal information will be treated with care. In order to show their customers and users that they can trust their personal data, organizations implement data protection policies and procedures.

The recognition of the importance of data privacy by the Qatari legislator came to fruition when Qatar was one of the first countries in the Middle East to enact a national data privacy law (Law number 13 of 2016 on the protection of the confidentiality of personal data). The Compliance and Data Protection Department (CDP) of the Ministry of Transport and Communications issued 14 regulations on the PDPL in November 2020. The regulations clarify the law and impose additional compliance obligations on data controllers.

Law number 13 of 2016 on the protection of privacy of personal data:

The law consists of eight chapters and 32 articles, it entered into force in 2017. In addition, the law applies to personal data if it is one of the following:

  • Electronic processing
  • Obtained, collected or extracted in any other way before electronic processing
  • Processed using a combination of computerized and manual methods.

By law, every individual has the right to the confidentiality of their personal data. These data can only be processed in an environment that is transparent, honest and respectful of human dignity.

The main features of the law are as follows:

  • It includes all personal data processed in Qatar.
  • It includes full rights such as the right of access, deletion and rectification.
  • It obliges data controllers and companies to rectify any inaccurate disclosure of personal data to a third party.
  • Data controllers are not required to take precautions to restrict cross-border data transfers, unless there is a significant danger to the privacy or personal data of the controller. Supervisors should document their risk assessment and inform the relevant regulatory authorities.
  • In the event of an incident or violation, data controllers should report the violations to the MOTC CDP.
  • The penalties provided for by law range from QAR 1 to 5 million.

The 2020 Regulations:

The Compliance and Data Protection Department (CDP) has issued 14 regulatory recommendations on the Law. It adds new notions that were not previously protected. These concepts are related to the EU General Data Protection Regulation (GDPR). Additionally, the requirements require data controllers to undertake privacy impact assessments and maintain records of data processing procedures.